In this issue:
- President Trump Signs Law Establishing DHS Cybersecurity and Infrastructure Security Agency
GENERAL SECURITY & RESILIENCE
- California Wildfires Update - Containment Increases, as Threat of Flash Floods Looms
- (U//FOUO) Winter Holiday Season Threat Awareness
- Make Time for “Media Jihad” Every Day, Pro-Islamic State Magazine Tells Youths
- The Four Men Behind Melbourne’s Deadliest Terror Plot
- Examination of Phishing Campaign by APT29, aka “Cozy Bear”
- Op-Ed Highlights Sector’s Cybersecurity Vulnerabilities
- Forty-eight Percent of Electric Utility CEOs Think a Cybersecurity Attack is Inevitable
- Holiday Scams and Malware Campaigns
- Teledyne DALSA Sherlock (ICSA-18-324-01)
- Schneider Electric Modicon M221 (ICSA-18-324-02)
- NUUO CMS (Update A) (ICSA-18-284-02)
- Adobe Releases Security Updates
- November 28: Water Sector Cyber Threat Web Briefing
- December 6: EPA Webinar on Sampling Guidance for Unknown Contaminants
- December 13: EPA Webinar on Water Contaminant Information Tool (WCIT)
- December 18: EPA Webinar on Free Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit
- DHS IP Partnership Bulletin Events
President Trump Signs Law Establishing DHS Cybersecurity and Infrastructure Security Agency
On November 16, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018, establishing the Cybersecurity and Infrastructure Security Agency (CISA). As discussed in the November 15 SRU, CISA replaces and reorganizes what was previously the National Protection and Programs Directorate (NPPD). The establishment of CISA is also intended to elevate the agency’s cybersecurity mission within DHS and streamline operations to help it better secure the nation’s critical infrastructure. Chris Krebs, who was formerly the NPPD Undersecretary, now serves as the CISA Director. Learn more about CISA by reading a letter from Director Krebs, which has been posted to the WaterISAC portal along with a CISA fact sheet. Read more at WaterISAC.
GENERAL SECURITY AND RESILIENCE
California Wildfires Update - Containment Increases, as Threat of Flash Floods Looms
In the past week, firefighters have made significant progress containing the Camp and Woolsey fires that have burned in Butte County (Northern California) and in Los Angeles and Ventura Counties (Southern California), respectively.
The Camp Fire has caused 79 fatalities (it has already been categorized as the deadliest fire in California history). It has burned approximately 150,000 acres and has destroyed nearly 15,000 residential and commercial properties; it is currently threatening an additional 14,500 structures. The Camp Fire is 70% contained, and full containment is not expected until November 30. Rain is expected for the area by tomorrow, but this could create flash flood conditions. The National Weather Service has issued a Flash Flood Watch for Butte County for November 21 to 23.
The Woolsey Fire has burned nearly 100,000 acres, killing three people and destroying about 1,500 structures. With the Woolsey Fire nearly fully contained, it is threatening no additional structures.
The U.S. Department of Homeland Security reports that some water utility infrastructure has been destroyed in the affected communities. Boil water advisories remain in effect for impacted communities around the Camp and Woolsey fires. WaterISAC has posted Infrastructure Impact Summaries as well as Situation Reports from DHS. Read more at WaterISAC.
(U//FOUO) Winter Holiday Season Threat Awareness
The U.S. Department of Homeland Security has published an Intelligence Note to provide context on the potential for terrorist threats during the 2018 winter holiday season, which it considers to be the Thanksgiving holiday through Presidents’ Day. This product includes an outlook for potential terrorist activity during this time, an examination of past terrorist attacks that highlight tactics that might be used, and lists of indicators of malicious activity and resources to help organizations protect themselves. Read more at WaterISAC. FOR U.S. MEMBERS.
Make Time for “Media Jihad” Every Day, Pro-Islamic State Magazine Tells Youths
Earlier this month, multiple pro-Islamic State media outlets released the second issue of the “Youth of the Caliphate” magazine. The issue featured articles, posters, and infographics praising the mujahideen, encouraging Muslims to carry out jihadist operations against “Crusaders,” and highlighting the role of online jihadists in supporting the Islamic State. In an article titled “Media Jihad,” the magazine emphasized the role of online jihadists and encouraged them to dedicate time every day to supporting the Islamic State online, including by purchasing a phone or laptop to be used exclusively for online jihadi activities and by requesting and activating social media accounts. Another article titled “Oh, Supporters of the Caliphate” urges online jihadists to republish productions released by official Islamic State media foundations and encourages them to join “publishing brigades” and focus on social media to target the general public. Homeland Security Today.
The Islamic State’s current propaganda efforts were the subject of one of the featured articles in this month’s Sentinel magazine (which was included in the November 13 SRU), a publication of West Point’s Combating Terrorism Center. The story’s author discusses how, in light of its recent battlefield defeats and territorial losses, the Islamic State has shifted its narrative toward a commitment to a long war in which it will ultimately prevail. Given the volume of messaging the Islamic State continues to disseminate to its sympathizers, the author concludes that the group will remain dangerous for the foreseeable future.
The Four Men Behind Melbourne’s Deadliest Terror Plot
An article from the Sydney Morning Herald describes the backgrounds of four men who planned to attack Melbourne, Australia’s most populated places with bombs and knives on or around Christmas in 2016. It discusses how they became radicalized and worked together to develop their plot. Police arrested the men before they could actually execute their plot, which likely would have resulted in Melbourne’s deadliest terror attack. At least two of the men attempted to travel overseas to join the Islamic State, but they were stopped by Australian authorities at the airport who refused to allow them to depart the country. It is likely that these activities, as well as time spent interacting with like-minded jihadists on online forums and purchasing suspicious items that could be used in attacks, were what caught the attention of authorities who eventually arrested the group. The Sydney Morning Herald.
Examination of Phishing Campaign by APT29, aka “Cozy Bear”
Cybersecurity firm FireEye reports it has detected intrusion attempts against multiple critical infrastructure sectors by the threat group it refers to as “APT29.” The latest campaign by the group involves a phishing email appearing to come from a public affairs official at the U.S. Department of State. The email includes zip files containing malicious Windows shortcuts that deliver a Cobalt Strike Beacon backdoor, which had been customized by the attacker to blend in with legitimate network traffic. FireEye’s posting includes numerous technical details that organizations can use to help defend their networks against this activity. FireEye suspects that APT29, which is also referred to as “Cozy Bear,” has links to the Russian government. FireEye.
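The campaign above delivers its payload through Windows shortcut files packed inside zip attachments. The script below is an added example, not FireEye’s or WaterISAC’s code, of the kind of attachment check a mail gateway or triage analyst can apply: it unpacks a zip in memory and flags any member that is a shortcut, judged both by the .lnk extension and by the fixed header that every shell link file begins with, so a shortcut renamed to look like a PDF is still caught. It also descends into nested zips. The sample archives are constructed inline; the header constant is the documented MS-SHLLINK layout, and the verdict labels and nesting limit are choices made for this example.

```python
"""Flag zip attachments that carry Windows shortcut (.lnk) files.

Added example for this newsletter item; not FireEye's or WaterISAC's code.
Inspects a zip archive the way a mail gateway or triage script might and
reports members that are Windows shortcuts. The sample archives at the
bottom are constructed in memory so the script runs offline.
"""
import io
import zipfile

# Every shell link (.lnk) file starts with HeaderSize = 0x0000004C followed by
# the ShellLink CLSID 00021401-0000-0000-C000-000000000046, laid out as below.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
MAX_NESTING = 2  # how many zip-in-zip levels to descend (choice for this example)


def is_lnk_bytes(data: bytes) -> bool:
    """True when the first bytes match the fixed shell link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcuts(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return (member_name, reason) pairs for every shortcut found in the archive.

    reason is "extension", "header", or "extension and header". Nested zips are
    scanned recursively up to MAX_NESTING levels; member names inside them are
    written as outer.zip!/inner_name.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings  # not a zip at all; nothing to scan here
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = prefix + info.filename
        head = zf.open(info).read(len(LNK_MAGIC))  # only the header is needed
        by_ext = info.filename.lower().endswith(".lnk")
        by_magic = is_lnk_bytes(head)
        if by_ext and by_magic:
            findings.append((name, "extension and header"))
        elif by_ext:
            findings.append((name, "extension"))
        elif by_magic:
            findings.append((name, "header"))  # shortcut hiding behind another extension
        elif depth < MAX_NESTING and head[:4] == b"PK\x03\x04":
            inner = zf.read(info)  # nested archive: scan its members too
            findings.extend(find_shortcuts(inner, depth + 1, name + "!/"))
    return findings


def scan_attachment(zip_bytes: bytes) -> dict:
    """Gateway-style verdict: quarantine any archive that contains a shortcut."""
    hits = find_shortcuts(zip_bytes)
    return {"verdict": "quarantine" if hits else "allow", "shortcuts": hits}


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a shortcut header padded with zeros, not a working shortcut.
FAKE_LNK = LNK_MAGIC + b"\x00" * 60

# Constructed attachment mimicking the pattern described in the item.
SAMPLE_ATTACHMENT = build_zip({
    "Press Release.pdf.lnk": FAKE_LNK,   # double extension
    "briefing.pdf": FAKE_LNK,            # shortcut content with a misleading name
    "readme.txt": b"plain text",         # benign
    "inner.zip": build_zip({"notes.lnk": FAKE_LNK}),  # nested archive
})

if __name__ == "__main__":
    for member, reason in find_shortcuts(SAMPLE_ATTACHMENT):
        print(f"shortcut found: {member} ({reason})")
    print(scan_attachment(SAMPLE_ATTACHMENT)["verdict"])
```

Checking the header rather than only the file name is the part worth keeping: a shortcut renamed to `briefing.pdf` passes an extension filter but not this one. In production the same routine should run behind a size limit on extracted data so a crafted archive cannot exhaust memory during the nested scan.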
Op-Ed Highlights Sector’s Cybersecurity Vulnerabilities
The New York Times has published an op-ed piece on water system cybersecurity. The article’s authors, who include the special agent in charge of the FBI’s New York Special Operations and Cyber Division, assert that water systems are vulnerable to “a wide range of hackers.” Among other incidents and threats, the column references a 2016 breach of a water utility, which was actually a composite of several incidents that was presented in a Verizon cybersecurity report (read more at WaterISAC). The authors call for additional applied cybersecurity guidance from federal agencies and recommend rapid and frequent sharing of incident information within the sector. The New York Times.
Forty-eight Percent of Electric Utility CEOs Think a Cybersecurity Attack is Inevitable
According to a survey performed by KPMG, 48% of electric utility CEOs think a cyber attack against their organization is a matter of “when,” not “if.” The survey also found that cybersecurity was among the top concerns for these CEOs, driven in part by past incidents and intrusion attempts involving the electricity sector, some of which are highlighted in the narrative. The survey also found that 58% of CEOs felt prepared to identify a cybersecurity threat and 59% identified cybersecurity specialists as the most important new role in their company. If a cyber attack were to occur, 68% felt prepared to manage external stakeholders and 63% were confident they could contain any impact on strategic operations. Utility Dive.
Holiday Scams and Malware Campaigns
The NCCIC has published an advisory reminding partners to be aware of seasonal scams and malware campaigns. It advises partners to be cautious of unsolicited emails that contain malicious links or attachments with malware, advertisements infected with malware, and requests for donations from fraudulent charitable organizations, which could result in security breaches, identity theft, or financial loss. The advisory includes a series of recommended protective actions as well as response measures for victims. NCCIC/US-CERT.
Perch Indicators - 20 Nov 2018
After a brief respite last week, WaterISAC has resumed entering indicators of compromise (IoCs) into the Perch Security network monitoring platform. For this week, there have been 82 IoCs entered. Perch users subscribed to the WaterISAC Community will be able to detect the following within their environments:
- Currently observed Emotet spam campaign activity as of 09 November 2018
- Microsoft Office online video abuse delivers URSNIF information stealer
- Muhstik botnet targeting phpMyAdmin servers
- Cryptocurrency mining malware WebCobra
Want to know more about Perch, an add-on service to a WaterISAC membership for detecting malicious activity on networks? Please contact WaterISAC’s Michael Arceneaux at firstname.lastname@example.org or 202-331-0479.
Teledyne DALSA Sherlock (ICSA-18-324-01)
The NCCIC has released an advisory on a stack-based buffer overflow vulnerability in Teledyne DALSA Sherlock. Versions 220.127.116.11 and prior are affected. Successful exploitation of this vulnerability could crash the device being accessed; a buffer overflow condition may allow remote code execution. Teledyne DALSA recommends users upgrade to Sherlock Version 18.104.22.168 or later. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of this vulnerability. NCCIC/ICS-CERT.
Schneider Electric Modicon M221 (ICSA-18-324-02)
The NCCIC has released an advisory on an insufficient verification of data authenticity vulnerability in Schneider Electric Modicon M221. All versions of this product are affected. Successful exploitation of this vulnerability could cause a change of IPv4 configuration (IP address, mask, and gateway) when remotely connected to the device. Schneider Electric recommends a series of mitigations to reduce the risk. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of this vulnerability. NCCIC/ICS-CERT.
NUUO CMS (Update A) (ICSA-18-284-02)
The NCCIC has updated this advisory with additional information on the technical details of the vulnerability. This advisory was initially published on October 11, 2018. NCCIC/ICS-CERT.
Adobe Releases Security Updates
Adobe has released security updates to address a vulnerability in Adobe Flash Player. An attacker could exploit this vulnerability to take control of an affected system. The NCCIC encourages users and administrators to review Adobe Security Bulletin APSB18-44 and apply the necessary updates. NCCIC/US-CERT.
Water Sector Cyber Threat Web Briefing
Wednesday, November 28, 2018, 2:00 – 3:00 PM ET; webinar
On November 28, WaterISAC will convene its monthly Water Sector Cyber Threat Web Briefing. Among other information pertaining to the latest cyber threats facing the water and wastewater sector, Salim Neino of Kryptos Logic will brief on the Emotet malware. Emotet has recently been observed targeting water and wastewater utilities and was blamed for dropping the Ryuk ransomware in a successful attack on a North Carolina water utility in October. WaterISAC Lead Analyst Chuck Egli will discuss highlights from Dragos Industrial Security Conference 2018, which he attended on November 5. Register at WaterISAC.
EPA Webinar – Sampling Guidance for Unknown Contaminants
Thursday, December 6, 2018; 11:00 a.m. – 12:00 p.m. ET; webinar
The Water Laboratory Alliance's “Sampling Guidance for Unknown Contaminants in Drinking Water” provides comprehensive guidance on sample collection, preservation and transport when dealing with unknown contaminants in drinking water. This training, intended for utilities, emergency responders and laboratory personnel, covers:
- The challenge of dealing with unknown contaminants
- How the Sampling Guidance can help your organization
- An overview of the Sampling Guidance
- Available EPA support
EPA Webinar – Water Contaminant Information Tool (WCIT)
Thursday, December 13, 2018; 1:00 – 2:00 p.m. ET; webinar
The Water Contaminant Information Tool (WCIT) is a secure online database with comprehensive information about chemical, biological and radiochemical contaminants of concern for the Water Sector. This training, intended for members of the water utility, laboratory and emergency response communities, covers:
- An overview of WCIT
- A description of the information contained within WCIT
- How the tool can be used
- The benefits of use for different stakeholders
EPA Webinar – Free Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit
Tuesday, December 18, 2018; 1:00 – 2:00 p.m. ET; webinar
EPA’s newly released Analytical Preparedness Full-Scale Exercise (AP-FSE) Toolkit is a comprehensive guide to planning and executing a multi-organization exercise to simulate a water emergency, with a focus on tools and best practices for laboratory analytical support. This webinar, intended for members of the water utility, laboratory and emergency response communities, covers:
- How an AP-FSE can increase preparedness
- An overview of the contents and functionality of the Toolkit
- How you can get started planning an exercise of your own
- Available EPA support
DHS IP Partnership Bulletin Events (November 6, 2018 Edition)
The U.S. Department of Homeland Security Office of Infrastructure Protection (IP) has published the latest version of its Partnership Bulletin, which provides a snapshot of upcoming training and exercise opportunities, critical infrastructure events, and key announcements. Some of the events include:
- The annual conference of the International City County Management Association (ICMA), which will be held in Nashville, Tennessee from October 20 to 23, 2019 (the last conference, conducted in Baltimore in September 2018, included a session on disaster recovery assessment);
- Russian Activity Against Critical Infrastructure Briefing, which was conducted in July 2018 and for which the recording is now available online;
- Risk Management Process and Facility Security Committee Training, with convenings in Seattle, Washington on December 4 and Portland, Oregon on December 6;
- Corporate Security Symposia, which is intended to inform public and private sector audiences on the most challenging security issues the nation faces today, with convenings in Los Angeles, California on December 6; Biloxi, Mississippi on March 20, 2019; Norfolk, Virginia on April 3, 2019; and Bentonville, Arkansas on August 14, 2019; and
- DHS Office of Bombing Prevention Training Courses, with both computer-based and in-person training opportunities on a variety of topics from now until late-December.